- Relative value
- Location ID
- Threat risk
- Asset tag
2.
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
- Risk exposure report
- Threats-vulnerabilities-assets worksheet
- Costs-risks-prevention database
- Threat assessment catalog
3.
Strategies to limit losses before and during a realized adverse event are covered by which of the following plans in the mitigation control approach?
- business continuity plan
- incident response plan
- disaster recovery plan
- damage control plan
4.
The only use of the acceptance risk control strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
- Determined the level of risk posed to the information asset
- Performed a thorough cost-benefit analysis
- Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
- Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
5.
Which of the following is NOT a valid rule of thumb on risk control strategy selection?
- When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
- When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
- When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.
- When the attacker’s potential gain is less than the costs of attack: Apply protections to decrease the attacker’s cost or reduce the attacker’s gain, by using technical or operational controls.
6.
Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk?
- evaluation and funding
- review and reapplication
- monitoring and measurement
- analysis and adjustment
7.
Which law extends protection to intellectual property within the United States, which includes works published in electronic formats?
- Freedom of Information Act
- Security and Freedom through Encryption Act
- Digital Millennium Copyright Act
- U.S. Copyright Law
8.
Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.
- deterrence
- remediation
- prosecution
- rehabilitation
9.
Problems with benchmarking include all but which of the following?
- Benchmarking doesn’t help in determining the desired outcome of the security process
- Organizations don’t often share information on successful attacks
- Recommended practices change and evolve, thus past performance is no indicator of future success
- Organizations being benchmarked are seldom identical
10.
Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program?
- Data that supports the measures needs to be readily obtainable
- Only repeatable InfoSec processes should be considered for measurement
- Measurements must be useful for tracking non-compliance by internal personnel
- Measurements must yield quantifiable information